In the previous quickstarts we explored both API access and user authentication.
Now we want to bring the two parts together.

The beauty of the OpenID Connect & OAuth 2.0 combination is, that you can achieve both with
a single protocol and a single exchange with the token service.

In the previous quickstart we used the OpenID Connect implicit flow.
In the implicit flow all tokens are transmitted via the browser, which is totally fine for the identity token.
Now we also want to request an access token.

Access tokens are a bit more sensitive than identity tokens, and we don’t want to expose them to the “outside” world if not needed.
OpenID Connect includes a flow called “Hybrid Flow” which gives us the best of both worlds,
the identity token is transmitted via the browser channel, so the client can validate it before doing any more work.
And if validation is successful, the client opens a back-channel to the token service to retrieve the access token.

There are not many modifications necessary. First we want to allow the client to use the hybrid flow,
in addition we also want the client to allow doing server to server API calls which are not in the context of a user (this is very similar to our client credentials quickstart).
This is expressed using the AllowedGrantTypes property.

Next we need to add a client secret. This will be used to retrieve the access token on the back channel.

And finally, we also give the client access to the offline_access scope -
this allows requesting refresh tokens for long lived API access: